RE: browser redirection to forward.domainname.at

From: Baaits (Baaits@bigfoot.com)
Date: 01/26/02


From: "Baaits" <Baaits@bigfoot.com>
To: <focus-ms@securityfocus.com>
Date: Sat, 26 Jan 2002 02:02:39 +0100

Ran into this info:

[11.1.3] What about spoofing DNS against NT?

By forging UDP packets, NT name server caches can be compromised. If
recursion is allowed on the name server, you can do some nasty things.
Recursion is when a server receives a name server lookup request for a
zone or domain for which it does not serve. This is typically how
most setups for DNS are done.

So how do we do it? We will use the following example:

We are root on ns.nmrc.org, IP 10.10.10.1. We have pirate.nmrc.org with
an address of 10.10.10.2, and bait.nmrc.org with an address of
10.10.10.3. Our mission? Make the users at lame.com access
pirate.nmrc.org when they try to access www.lamer.net.

Okay, assume automation is at work here to make the attack smoother...

- DNS query is sent to ns.lame.com asking for address of bait.nmrc.org.
- ns.lame.com asks ns.nmrc.org what the address is.
- The request is sniffed, and the query ID number is obtained from the
request packet.
- DNS query is sent to ns.lame.com asking for the address of
www.lamer.net.
- Since we know the previous query ID number, chances are the next query
ID number will be close to that number.
- We send spoofed DNS replies with several different query ID numbers.
These replies are spoofed to appear to come from ns.lamer.net, and state
that its address is 10.10.10.2.
- pirate.nmrc.org is set up to look like www.lamer.net, except maybe it
has a notice to "go to the new password page and set up an account and
ID".
Odds are this new password is used by that lame.com user somewhere
else...

With a little creativity, you can also do other exciting things like
reroute (and make copies of) email, denial of service (tell lame.com
that www.lamer.net doesn't exist anymore), and other fun things.

Supposedly Service Pack 3 fixes this.
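The quoted text above relies on the next query ID being close to the one just observed. As an added example (not part of this post or of the NMRC FAQ it quotes), here is a check a resolver operator can run against their own server's outbound queries to see whether its transaction IDs have that property. The ID lists are constructed to stand in for a capture: one from a resolver that counts upward, one that draws IDs uniformly from the 16-bit space.

```python
"""Check whether a resolver's outbound DNS transaction IDs are predictable.

Added example, not from the post or the NMRC FAQ it quotes.  Given the IDs of
a run of outbound queries (constructed samples below stand in for a capture),
measure how often consecutive IDs land within a small window of each other.
A counter-based resolver scores near 1.0; one that draws IDs at random scores
near 33/65536, which is the fraction of the ID space a +/-16 window covers.
"""
import random
from typing import List

ID_SPACE = 1 << 16          # DNS transaction IDs are 16 bits wide
WINDOW = 16                 # "close to": within +/- 16 of the previous ID


def predictable_fraction(ids: List[int], window: int = WINDOW) -> float:
    """Fraction of consecutive ID pairs whose difference is within +/- window.

    The difference is taken modulo 2^16 so a counter wrapping from 65535 to 0
    still counts as a single step.
    """
    if len(ids) < 2:
        return 0.0
    hits = 0
    for prev, cur in zip(ids, ids[1:]):
        delta = (cur - prev) % ID_SPACE
        if delta <= window or delta >= ID_SPACE - window:
            hits += 1
    return hits / (len(ids) - 1)


def classify(ids: List[int], threshold: float = 0.5) -> str:
    """Label an ID sequence as 'predictable' or 'random'.

    A predictable resolver lets an off-path sender cover the likely next ID
    with a few dozen forged replies instead of the whole 16-bit space; the
    mitigation is to draw IDs (and source ports) at random.
    """
    return "predictable" if predictable_fraction(ids) >= threshold else "random"


# Constructed: IDs from a resolver that simply counts up, crossing the wrap
# point at 65535 -> 0 along the way.
COUNTER_IDS = [(65500 + i) % ID_SPACE for i in range(200)]

# Constructed: IDs drawn uniformly from the 16-bit space (seeded so the
# sample is repeatable).
_rng = random.Random(2002)
RANDOM_IDS = [_rng.randrange(ID_SPACE) for _ in range(200)]


if __name__ == "__main__":
    for label, ids in (("counter", COUNTER_IDS), ("random", RANDOM_IDS)):
        print(f"{label:8s} fraction={predictable_fraction(ids):.4f} "
              f"verdict={classify(ids)}")
```

Run it against IDs pulled from a capture of your own resolver's outbound queries (the 16-bit field right after the UDP header of each query); a verdict of "predictable" means the server needs a patch or a replacement resolver rather than a registry tweak.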

-----Original Message-----
From: Steuernagel.Jason [mailto:Jason.Steuernagel@IGT.com]
Sent: 28 February 2002 18:22
To: 'Anthony Buser'; Matthew.van.Eerde@hbinc.com;
focus-ms@securityfocus.com
Subject: RE: browser redirection to forward.domainname.at

I ran into a similar issue about a year ago with some of our DNS. Our cache
was being poisoned and we were getting the same event messages. We also
found that our root cache had been changed, resulting in lookups beginning
in the wrong place (which then handed back incorrect information regarding
domains).

We looked all over for a description of what was happening (didn't find one)
and ended up adding some additional security to our DNS, which needed to be
set within the registry (this was NT 4.0 DNS; 2000 may have these options
available). We turned off caching (MaxCacheTtl), set all of our zones to
only accept transfers from servers we specified (SecureResponses), and
disabled our root cache from dynamically updating (AutoCacheUpdate). These
registry keys are discussed in this KB article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q198408

-----Original Message-----
From: Anthony Buser [mailto:ABuser@UnConundrum.com]
Sent: Wednesday, February 27, 2002 2:36 PM
To: Matthew.van.Eerde@hbinc.com; focus-ms@securityfocus.com
Cc: focus-virus@securityfocus.com
Subject: RE: browser redirection to forward.domainname.at

We are having the exact same problem as this today! Glad (sort of) that I'm
not alone. My research has turned up virtually no other discussion relating
to this.

The problem definitely appears to be DNS poisoning. We're running Win2k
DNS. Clearing the cache on the DNS servers and doing an ipconfig /flushdns
on the workstations fixed the problem. However, it did start to creep back
and started happening again this afternoon.

When we check the DNS event viewer logs, we keep seeing the following
messages:

"event id: 5504, The DNS server encountered an invalid domain name in a
packet from x.x.x.x. The packet is rejected."

From the following ip addresses over and over again:

63.239.93.60
63.239.93.61
66.60.156.146

All of which appear to belong to the University of New Haven. I tried
contacting them via email but all addresses to newhaven.com appear to fail.
I have contacted upstream people, awaiting response. That last IP address
66.60.156.146 worries me that someone is messing around because it lists
courses having to do with firewalls, viruses, and cyberterrorism (gah!).

I'm running snort, but it hasn't seemed to pick up anything unusual.

I tried running tcpdump on our linux firewall to try and see what's going
on. Unfortunately I'm not very experienced with reading tcpdump output, so
I don't quite know what's going on:

tcpdump -vvne src host 66.60.156.146 or 63.239.93.60 or 63.239.93.61

13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 53, id 17536)
13:37:48.274865 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 66.60.156.146.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 52, id 17536)
13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
13:37:48.314972 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 63.239.93.61.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 39714)
13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
13:37:52.339350 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 63.239.93.60.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 16316)

Unfortunately I'm not knowledgeable enough to understand what tcpdump is
saying to me.
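The capture above shows replies for all.net. arriving at port 1063 from three different source addresses, every one carrying query ID 14308 and the same five records. As an added example that is not part of the thread, the script below parses reply lines in the shape tcpdump -vvn printed and applies three resolver-side checks: a reply must match a query the resolver actually has outstanding (destination port plus transaction ID), one transaction ID should not arrive from several different sources, and every record in the answer must sit at or below the queried name (the bailiwick rule). The sample lines, the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the outstanding-query table are all constructed.

```python
"""Triage DNS replies in tcpdump output for signs of cache poisoning.

Added example, not part of the mailing-list thread.  Sample lines, addresses
and the outstanding-query table are constructed in the shape of the capture
quoted in the post; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# tcpdump -vvn reply line: "<ts> <iface> <dir> <mac> <mac> ip <len>: <src>.domain >
# <dst>.<port>: <id><flags> q: <qname> <an>/<ns>/<ar> <rr>, <rr>, ... (<bytes>) ..."
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) [<>] \S+ \S+ ip \d+: "
    r"(?P<src>[\d.]+)\.domain > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)(?P<flags>[*+|$-]*) q: (?P<qname>\S+) "
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) (?P<rrs>.*?) \(\d+\)"
)

# Constructed sample modelled on the post: three sources, one ID, one port;
# then a normal reply, a reply carrying a record for an unrelated name, and
# a reply nobody asked for.
SAMPLE = [
    "13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 198.51.100.7.domain > 192.0.2.10.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 192.0.2.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 53, id 17536)",
    "13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 198.51.100.8.domain > 192.0.2.10.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 192.0.2.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)",
    "13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 198.51.100.9.domain > 192.0.2.10.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 192.0.2.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)",
    "13:38:01.100000 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 80: 198.51.100.20.domain > 192.0.2.10.2051: 40211* q: www.example.com. 1/0/0 www.example.com. A 192.0.2.80 (48) (ttl 60, id 101)",
    "13:38:01.100500 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 96: 198.51.100.21.domain > 192.0.2.10.2051: 40211* q: www.example.com. 2/0/0 www.example.com. A 192.0.2.99, all.net. A 192.0.2.99 (64) (ttl 60, id 102)",
    "13:38:05.000000 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 70: 198.51.100.22.domain > 192.0.2.10.1099: 5* q: all.net. 1/0/0 all.net. A 192.0.2.99 (38) (ttl 60, id 103)",
]

# Constructed: queries our resolver currently has in flight, keyed by
# (source port it used, transaction ID) -> name asked for.
OUTSTANDING: Dict[Tuple[int, int], str] = {
    (1063, 14308): "all.net.",
    (2051, 40211): "www.example.com.",
}

Finding = Tuple[str, str]  # (source address of the reply, description)


def parse_reply(line: str) -> Dict:
    """Split one tcpdump reply line into its header fields and answer records."""
    m = REPLY_RE.match(line)
    if not m:
        raise ValueError("not a DNS reply line: " + line[:60])
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["id"] = int(rec["id"])
    rrs = []
    for rr in rec["rrs"].split(", "):
        parts = rr.split()
        # tcpdump prints "name TYPE rdata"; a truncated last record may be name only
        rrs.append((parts[0], parts[1] if len(parts) > 1 else "?", " ".join(parts[2:])))
    rec["rrs"] = rrs
    return rec


def in_bailiwick(name: str, qname: str) -> bool:
    """True if name equals qname or is a subdomain of it."""
    name, qname = name.lower().rstrip("."), qname.lower().rstrip(".")
    return name == qname or name.endswith("." + qname)


def triage(lines: List[str], outstanding: Dict[Tuple[int, int], str]) -> List[Finding]:
    """Apply the three checks to every reply line and return what they flag."""
    findings: List[Finding] = []
    sources_by_key = defaultdict(set)
    for line in lines:
        r = parse_reply(line)
        key = (r["dport"], r["id"])
        expected = outstanding.get(key)
        if expected is None:
            findings.append((r["src"], f"unsolicited reply id={r['id']} to port {r['dport']} for {r['qname']}"))
        elif expected != r["qname"]:
            findings.append((r["src"], f"reply id={r['id']} answers {r['qname']} but query was for {expected}"))
        sources_by_key[key].add(r["src"])
        if len(sources_by_key[key]) > 1:
            findings.append((r["src"], f"id={r['id']} to port {r['dport']} seen from {len(sources_by_key[key])} different sources"))
        for name, rtype, _rdata in r["rrs"]:
            if not in_bailiwick(name, r["qname"]):
                findings.append((r["src"], f"out-of-bailiwick {rtype} record for {name} in reply for {r['qname']}"))
    return findings


if __name__ == "__main__":
    for src, what in triage(SAMPLE, OUTSTANDING):
        print(f"{src:15s} {what}")
```

Feed it the output of the same tcpdump command the post used, and build the outstanding table from the resolver's own outbound queries in the capture; a modern resolver performs the first and third checks itself, which is why the poisoning described in the thread depends on the server accepting any reply with a matching ID.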

-----Original Message-----
From: Matthew.van.Eerde@hbinc.com [mailto:Matthew.van.Eerde@hbinc.com]
Sent: Tuesday, February 26, 2002 11:29 AM
To: focus-ms@securityfocus.com
Cc: focus-virus@securityfocus.com
Subject: browser redirection to forward.domainname.at

A strange problem is surfacing on our network. Users will type in a website
they have been to before, and they will be forwarded to

http://forward.domainname.at/http://212.69.172.16/forward.php
and then to
http://212.69.172.16/forward.php

Have we been hit by a virus? Or is there some name resolution hack on the
internet?

Typing in the IP address of a site (http://216.168.252.86 for
http://www.verisign.com, for example) goes to the correct site. nslookup
prompts from the command line yield the correct IP address.

Workstations are Windows 2000 Professional SP2 with IE 6.

Matthew van Eerde
Software Engineer


